Fix TektonInstallerSet deadlock when resources have deletionTimestamp

[jkhelil]

Changes

• Added installerSetName parameter to ensureResources() and all callers
• Checks OwnerReferences to determine if resource belongs to this InstallerSet
• Only waits for owned resources, skips others
• Allows reconciliation to continue even with TERMINATING CRDs

Fixes #2474

The operator enters a deadlock when any resource (e.g., CRD) has a deletionTimestamp during InstallerSet reconciliation. The current code immediately aborts the entire reconciliation phase, preventing critical namespace-scoped resources (ServiceAccounts, RBAC) from being created.

Symptoms:

• No ServiceAccounts created in openshift-pipelines namespace
• InstallerSets stuck with "reconcile again and proceed"
• No component pods running (Deployments fail: serviceaccount not found)
• Webhooks unavailable → TektonConfig can't reconcile
• Operator logs show infinite CRD fetching loop

Impact: Complete operator failure during installations, upgrades, downgrades, or recovery operations.

Root Cause

Location: pkg/reconciler/kubernetes/tektoninstallerset/install.go:166-168

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Run make test lint before submitting a PR
• Includes tests (if functionality changed/added)
• Includes docs (if user facing)
• Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

NONE

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please ask for approval from jkhelil after the PR has been reviewed.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[jkhelil]

@vdemeester @anithapriyanatarajan PTAL

[anithapriyanatarajan]

/kind bug

[anithapriyanatarajan]

@jkhelil - could you help with steps to reproduce the issue?

[anithapriyanatarajan]

Would it be ok to log the finalizer name as well and Deletion time stamp here?

[jkhelil]

@jkhelil - could you help with steps to reproduce the issue?
It’s a somewhat strange error that we’ve been carrying across several versions. if you remember all the issues people encountered during upgrades
what happens:
Some TaskRuns or PipelineRuns have finalizers. A user tries to delete TektonConfig to uninstall the operator because they notice a problem during an upgrade, or because teams are experiencing etcd or infrastructure issues.
When TektonConfig is deleted, the CRDs are also removed, but they get stuck due to the finalizers on the TaskRuns. The user doesn’t see this because they delete TektonConfig and don’t monitor the remaining resources. TektonConfig appears as deleted.
The user then tries to reinstall or upgrade using a new CSV, but it doesn’t work. This is because the installer set is stuck in a loop: it checks whether there is a deletion timestamp on the CRDs and keeps reconciling again. The loop never proceeds to the next step (installing the service accounts, RBAC, etc.).
The user ends up seeing an error related to the webhook service account, but in reality there is nothing wrong with it — the installer set is simply stuck continuously reconciling.

to reproduce, install once, have some workload, check finaliers are there, delete tektonconfig, reinstall or do an upgrade